Currently Google requires you to create an API Key that is specific to the domain of where the map will be served from. How does Google enforce this? I want to do the same thing.
I expose an API for my service but want to allow clients to embed calls to the API via javascript and not just from the server. I could secure it with just a random token but of course this could be easily spoofed by anyone looking at the code on the client machine.
I always understood this concept to not be possible but somehow Google does a good job at enforcing it.
I'm quite certain they use the REFERER URL to determine where the call is coming from. If the domain doesn't match what's assigned to the key, it's an invalid request.
For a practical example, using PHP you can check the domain using $_SERVER['HTTP_REFERER'] to check the referer. If the domain matches, return a valid response. If it doesn't, you can return a 401 Unauthorized or other response.